Data retention: Drug busts biggest use of ‘metadata’

Drug-related investigations are by far the most common reason for law-enforcement organisations to access information covered by Australia’s data retention regime.

In the period between the new data retention rules kicking in — 13 October 2015 — and the end of the 2016 financial year, law-enforcement agencies self-authorised the disclosure of so-called metadata on 57,166 occasions in relation to criminal investigations of drug offences.

Homicide investigations were a distant second — 25,245 authorisations — followed by ‘miscellaneous’ (12,716), robbery (11,795) and fraud (11,282). Criminal investigations of terrorism offences, commonly cited as one of the key drivers for introducing data retention, resulted in 4,454 authorisations.

The federal government today made public the long-awaited annual report for FY16 on the use of powers covered by the Telecommunications (Interception and Access) Act 1979. The 2015-16 report is the first since Australia’s data retention laws came into effect, with the new regime delaying the report’s release.

Almost 83 per cent of the telecommunications data accessed by police agencies since data retention kicked in was zero to three months old; less than 1 per cent was 21-24 months old (under the data retention rules, relevant data must be retained for 24 months).

The new report covers the 12 months ending 30 June 2016. Data retention began on 13 October 2015, so this edition of the report also includes data on the organisations that accessed metadata under the old rules.

Between 1 July 2015 and 12 October 2015, 63 agencies accessed the kind of telecommunications data that is now covered by the new regime.

“Telecommunications data” is often dubbed “metadata”. It does not include the content of a communication but instead covers data such as the parties involved in a communication, the means of communication, and when a communication took place.

Before data retention was introduced, metadata could be accessed by any agency that met the definition of “enforcement agency” under the TIA Act. That definition included any organisation that enforced a criminal law, a law imposing a pecuniary penalty or a law that protected public revenue.

The TIA Act annual report covers both “historical” (“existing”) telecommunications data as well as “prospective data” (that is, data that comes into existence while an authorisation is in force).

Under the data retention rules, the number of organisations that have warrant-free access to metadata has dropped to 21: State, territory and federal police forces and anti-corruption bodies, as well as the Australian Crime Commission, the Department of Immigration and Border Protection (DIBP), the Australian Securities and Investments Commission (ASIC) and the Australian Competition and Consumer Commission (ACCC).

Under the regime set out in the amended TIA Act, these agencies are defined as “criminal law-enforcement agencies”. In the period covered by the report, the organisations collectively authorised 332,639 disclosures of historical data. That figure represents a drop from the 2014-15 figure of 360,771.

The authorisations cover three broad situations: Enforcing a criminal law, enforcing a law that imposes a pecuniary penalty or the protection of the public revenue, and locating a missing person. By far the most common use of metadata is the first of these categories.

NSW Police was the most prolific user of metadata for criminal investigations, authorising 105,710 disclosures (down from 114,111 in the prior year), followed by Victoria Police (82,034, up from 66,663), WA Police (35,350, down from 36,310), Queensland Police (29,271, down from 40,710) and the Australian Federal Police (25,640, down from 27,442).

The report also reveals the extraordinary gamut of organisations that accessed telecommunications data prior to data retention commencing: At a federal level, the Australian Taxation Office, Australia Post, the Australian Financial Security Authority, the Department of Agriculture, the Department of Foreign Affairs and Trade, the Australian Health Practitioner Regulation Agency, the Department of Defence, the Department of Human Services, the Department of Social Services and Fair Work all accessed telco data.

At a state and territory level, 15 organisations accessed data under the old rules during the period 1 July to 12 October 2015 in order to enforce a criminal law; they included a number of state government departments, branches of the RSPCA, Worksafe Victoria, and Hume City Council.

Nineteen state and territory organisations issued authorisations in the same period for the purposes of enforcing “a law imposing a pecuniary penalty or the protection of the public revenue”, including two local councils, Racing NSW, Racing and Wagering WA and two state offices of fair trading.

Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.